CVE-2021-21708: UAF due to php_filter_float() failing for ints
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
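The advisory text above gives a defender two concrete things to check: whether a deployed PHP build falls inside the affected version ranges, and whether the code base contains the affected pattern (FILTER_VALIDATE_FLOAT combined with min_range/max_range options). The following Python script is an added example written for this page; it is not part of the bug report, the PoC repository, or PHP's own code. The function names (`is_affected_version`, `find_risky_filter_calls`) are hypothetical, the fixed-version table is taken straight from the advisory wording, and the PHP source it scans is a constructed sample, not the reporter's A.php/B.php. The source scan is a regex heuristic rather than a PHP parser, so its hits are review candidates, not proof of exploitability.

```python
"""Triage helpers for CVE-2021-21708 (added example; hypothetical helper names).

1. is_affected_version(): is a PHP version inside the ranges the advisory names
   (7.4.x < 7.4.28, 8.0.x < 8.0.16, 8.1.x < 8.1.3)?
2. find_risky_filter_calls(): flag filter_var()/filter_input() call sites that
   combine FILTER_VALIDATE_FLOAT with a min_range or max_range option, i.e. the
   code pattern the advisory says is affected. Heuristic, not a PHP parser.
"""
import re
from typing import List, Tuple

# First fixed release per affected branch, from the advisory text.
FIXED_VERSIONS = {
    (7, 4): (7, 4, 28),
    (8, 0): (8, 0, 16),
    (8, 1): (8, 1, 3),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse '8.0.15' or a distro string like '7.4.27-1ubuntu1' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True when the version is on an affected branch and below that branch's fix.
    Branches the advisory does not mention (7.3, 8.2, ...) return False."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


# Start of a filter_var / filter_input / *_array call; the argument text is then
# extracted by matching parentheses so multi-line option arrays are covered.
CALL_START = re.compile(r"\bfilter_(?:var|input|var_array|input_array)\s*\(")
RANGE_OPTION = re.compile(r"\b(?:min|max)_range\b")


def _call_args(source: str, open_paren: int) -> str:
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(source)):
        c = source[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return source[open_paren + 1:i]
    return source[open_paren + 1:]  # unbalanced input: take the rest


def find_risky_filter_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, one-line snippet) for each call that uses
    FILTER_VALIDATE_FLOAT together with min_range or max_range."""
    hits = []
    for m in CALL_START.finditer(source):
        args = _call_args(source, m.end() - 1)
        if "FILTER_VALIDATE_FLOAT" in args and RANGE_OPTION.search(args):
            line = source.count("\n", 0, m.start()) + 1
            snippet = " ".join((m.group(0) + args + ")").split())
            hits.append((line, snippet))
    return hits


# Constructed sample PHP source for the demonstration (not from the PoC repo).
# Only $a and $d combine the float filter with range limits.
SAMPLE_PHP = """<?php
$a = filter_var($_GET['price'], FILTER_VALIDATE_FLOAT,
                ['options' => ['min_range' => 0.0, 'max_range' => 10.0]]);
$b = filter_var($_GET['ratio'], FILTER_VALIDATE_FLOAT);
$c = filter_var($_GET['qty'], FILTER_VALIDATE_INT,
                ['options' => ['min_range' => 1, 'max_range' => 99]]);
$d = filter_input(INPUT_GET, 'temp', FILTER_VALIDATE_FLOAT,
                  ['options' => ['max_range' => 100]]);
"""

if __name__ == "__main__":
    for v in ("7.4.27", "7.4.28", "8.0.15", "8.1.3", "8.2.0"):
        print(f"PHP {v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for line, snippet in find_risky_filter_calls(SAMPLE_PHP):
        print(f"line {line}: {snippet}")
```

The version check treats any branch not named in the advisory as unaffected, which is correct for this CVE but is not a general "is this PHP supported" test. The scanner deliberately ignores FILTER_VALIDATE_INT calls with range options, since the advisory ties the bug to the float filter; the remediation for a hit is upgrading PHP to the fixed release, as the Red Hat advisories below do.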
Sec Bug #81708
UAF due to php_filter_float() failing for ints
Submitted: 2022-01-30 09:00 UTC
Modified: 2022-02-14 06:07 UTC
From: dukk at softdev dot online
Assigned: stas
Status: Closed
Package: Filter related
PHP Version: 8.0.15
OS: centos 8
Private report: No
CVE-ID: 2021-21708
[2022-01-30 09:00 UTC] dukk at softdev dot online
Description:
NGINX + php-fpm (versions tested 7.4.27, 8.0.15):
- place files from URL in webserver directory
- requires a valid PostgreSQL (nonce) connection string (edit B.php)
- make request (curl "http://127.0.0.1/A.php")
- obtain HTTP 502 in client and php-fpm process on server
In A.php, change xml attribute val to "+11." - all is fine, no crash.
This PoC is extracted (stripped-down) from a large code-base.
Test script:
https://github.com/MrdUkk/php-sigsegv
Expected result:
Expected result is seeing: PHP Fatal error: Uncaught Error: Class "APIException" not found in A.php:27
Actual result:
HTTP 502 and php-fpm server process crashed
Program received signal SIGSEGV, Segmentation fault.
0x000055ba505e7295 in _emalloc ()
(gdb) bt
#0  0x000055ba505e7295 in _emalloc ()
#1  0x000055ba505e810f in _ecalloc ()
#2  0x000055ba504a4977 in timelib_get_time_zone_info ()
#3  0x000055ba504a6a7f in timelib_unixtime2local ()
#4  0x000055ba50480c41 in php_format_date ()
#5  0x000055ba504572bc in php_log_err_with_severity ()
#6  0x000055ba5045771a in php_error_cb ()
#7  0x000055ba5045c3aa in zend_error_va_list ()
#8  0x000055ba5045c991 in zend_error ()
#9  0x000055ba5045833b in php_verror ()
#10 0x000055ba5045845c in php_error_docref ()
#11 0x00007f641246afd4 in pdo_raise_impl_error.cold () from target:/usr/lib64/php/modules/pdo.so
#12 0x00007f6412471e72 in zim_PDOStatement_bindValue () from target:/usr/lib64/php/modules/pdo.so
#13 0x000055ba50695a50 in execute_ex ()
#14 0x000055ba50696861 in zend_execute ()
#15 0x000055ba5060d2db in zend_execute_scripts ()
#16 0x000055ba505aa488 in php_execute_script ()
#17 0x000055ba50476af9 in main ()
(gdb)
History
[2022-01-31 14:47 UTC] [email protected]
-Summary: PHP-FPM sigsegv
+Summary: UAF due to php_filter_float() failing for ints
-Status: Open
+Status: Verified
-Package: FPM related
+Package: Filter related
-Assigned To:
+Assigned To: stas
[2022-02-14 06:00 UTC] [email protected]
-Status: Verified
+Status: Closed
[2022-02-14 06:07 UTC] [email protected]
-CVE-ID:
+CVE-ID: 2021-21708
Related news
Red Hat Security Advisory 2022-8197-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include a use-after-free vulnerability.
An update for php is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2021-21708: php: Use after free due to php_filter_float() failing for ints
* CVE-2022-31625: php: Uninitialized array in pg_query_params() leading to RCE
An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2021-21707: php: Special character breaks path in xml parsing
* CVE-2021-21708: php: Use after free due to php_filter_float() failing for ints
* CVE-2021-32610: php-pear: Directory traversal vulnerability
An update for the php:8.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2021-21708: php: Use after free due to php_filter_float() failing for ints
* CVE-2022-31625: php: Uninitialized array in pg_query_params() leading to RCE
Gentoo Linux Security Advisory 202209-20 - Multiple vulnerabilities have been discovered in PHP, the worst of which could result in local root privilege escalation. Versions less than 7.4.30:7.4 are affected.
The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.